cryptbot | 57e0906e3b6e13fe8db13cc06ce37d957bfc045afa6e99e9cf8b893ceb57d018

Analysis

max time kernel
147s
max time network
139s
platform
windows10_x64
resource
win10v20201028
submitted
25-12-2020 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe
Size

662KB
MD5

b9e0e5a33a7a99acc1a45f959d7f0516
SHA1

771c6f695993c1599383f396d2fc25a5b9dbdeb2
SHA256

57e0906e3b6e13fe8db13cc06ce37d957bfc045afa6e99e9cf8b893ceb57d018
SHA512

a1a26b98c3fdcd107a804e936d92f96f63d8c555552fd150de9e7cb0b42c71ad62efa33a3c3a8d2ec0c6a425df211f4afb8882f62e80644b78c6e3a4d7cc9134

Score

10^/10

cryptbot danabot 3 banker discovery evasion spyware stealer trojan upx

Malware Config

Extracted

Family

danabot

Version

1732

Botnet

108.62.118.103:443

104.144.64.163:443

192.241.101.68:443

108.62.141.152:443

Attributes

embedded_hash
49574F66CD0103BBD725C08A9805C2BE

rsa_pubkey.plain

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 5 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow pid process

32 3800 RUNDLL32.EXE
36 3360 WScript.exe
38 3360 WScript.exe
40 3360 WScript.exe
42 3360 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

File19.exe4_ico.exe6_ico.exevpn_ico.exeSmartClock.exegohgeatmcoth.exe

pid process

1992 File19.exe
3432 4_ico.exe
1256 6_ico.exe
2148 vpn_ico.exe
1892 SmartClock.exe
1196 gohgeatmcoth.exe

flow	pid	process
32	3800	RUNDLL32.EXE
36	3360	WScript.exe
38	3360	WScript.exe
40	3360	WScript.exe
42	3360	WScript.exe

pid	process
1992	File19.exe
3432	4_ico.exe
1256	6_ico.exe
2148	vpn_ico.exe
1892	SmartClock.exe
1196	gohgeatmcoth.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gohgeatmcoth.exe	upx
C:\Users\Admin\AppData\Local\Temp\gohgeatmcoth.exe	upx

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SmartClock.exe6_ico.exevpn_ico.exe4_ico.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SmartClock.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4_ico.exe

Drops startup file 1 IoCs

Processes:

4_ico.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4_ico.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4_ico.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

6_ico.exevpn_ico.exeSmartClock.exe4_ico.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	6_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	vpn_ico.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	SmartClock.exe
Key opened	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Wine	4_ico.exe

Loads dropped DLL 4 IoCs

Processes:

File19.exerundll32.exeRUNDLL32.EXE

pid process

1992 File19.exe
504 rundll32.exe
3800 RUNDLL32.EXE
3800 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

6_ico.exe4_ico.exevpn_ico.exeSmartClock.exe

pid process

1256 6_ico.exe
3432 4_ico.exe
2148 vpn_ico.exe
1892 SmartClock.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1992	File19.exe
504	rundll32.exe
3800	RUNDLL32.EXE
3800	RUNDLL32.EXE

flow	ioc
16	ip-api.com

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vpn_ico.exeRUNDLL32.EXESecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vpn_ico.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vpn_ico.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

3244 timeout.exe
2416 timeout.exe
2216 timeout.exe
Modifies registry class 1 IoCs

Processes:

vpn_ico.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings vpn_ico.exe

pid	process
3244	timeout.exe
2416	timeout.exe
2216	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	vpn_ico.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1892 SmartClock.exe

pid	process
1892	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

6_ico.exevpn_ico.exe4_ico.exeSmartClock.exepowershell.exeRUNDLL32.EXEpowershell.exe

pid	process
1256	6_ico.exe
1256	6_ico.exe
2148	vpn_ico.exe
2148	vpn_ico.exe
3432	4_ico.exe
3432	4_ico.exe
1892	SmartClock.exe
1892	SmartClock.exe
3768	powershell.exe
3768	powershell.exe
3768	powershell.exe
3800	RUNDLL32.EXE
3800	RUNDLL32.EXE
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	504	rundll32.exe
Token: SeDebugPrivilege	3800	RUNDLL32.EXE
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exeRUNDLL32.EXE

pid process

60 SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe
60 SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe
3800 RUNDLL32.EXE

pid	process
60	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe
60	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe
3800	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.execmd.exeFile19.exe4_ico.exevpn_ico.exe6_ico.execmd.execmd.exegohgeatmcoth.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 60 wrote to memory of 1992	60	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe	File19.exe
PID 60 wrote to memory of 1992	60	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe	File19.exe
PID 60 wrote to memory of 1992	60	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe	File19.exe
PID 60 wrote to memory of 480	60	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe	cmd.exe
PID 60 wrote to memory of 480	60	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe	cmd.exe
PID 60 wrote to memory of 480	60	SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe	cmd.exe
PID 480 wrote to memory of 3244	480	cmd.exe	timeout.exe
PID 480 wrote to memory of 3244	480	cmd.exe	timeout.exe
PID 480 wrote to memory of 3244	480	cmd.exe	timeout.exe
PID 1992 wrote to memory of 3432	1992	File19.exe	4_ico.exe
PID 1992 wrote to memory of 3432	1992	File19.exe	4_ico.exe
PID 1992 wrote to memory of 3432	1992	File19.exe	4_ico.exe
PID 1992 wrote to memory of 1256	1992	File19.exe	6_ico.exe
PID 1992 wrote to memory of 1256	1992	File19.exe	6_ico.exe
PID 1992 wrote to memory of 1256	1992	File19.exe	6_ico.exe
PID 1992 wrote to memory of 2148	1992	File19.exe	vpn_ico.exe
PID 1992 wrote to memory of 2148	1992	File19.exe	vpn_ico.exe
PID 1992 wrote to memory of 2148	1992	File19.exe	vpn_ico.exe
PID 3432 wrote to memory of 1892	3432	4_ico.exe	SmartClock.exe
PID 3432 wrote to memory of 1892	3432	4_ico.exe	SmartClock.exe
PID 3432 wrote to memory of 1892	3432	4_ico.exe	SmartClock.exe
PID 2148 wrote to memory of 1196	2148	vpn_ico.exe	gohgeatmcoth.exe
PID 2148 wrote to memory of 1196	2148	vpn_ico.exe	gohgeatmcoth.exe
PID 2148 wrote to memory of 1196	2148	vpn_ico.exe	gohgeatmcoth.exe
PID 2148 wrote to memory of 4088	2148	vpn_ico.exe	WScript.exe
PID 2148 wrote to memory of 4088	2148	vpn_ico.exe	WScript.exe
PID 2148 wrote to memory of 4088	2148	vpn_ico.exe	WScript.exe
PID 1256 wrote to memory of 1132	1256	6_ico.exe	cmd.exe
PID 1256 wrote to memory of 1132	1256	6_ico.exe	cmd.exe
PID 1256 wrote to memory of 1132	1256	6_ico.exe	cmd.exe
PID 1132 wrote to memory of 2416	1132	cmd.exe	timeout.exe
PID 1132 wrote to memory of 2416	1132	cmd.exe	timeout.exe
PID 1132 wrote to memory of 2416	1132	cmd.exe	timeout.exe
PID 1256 wrote to memory of 660	1256	6_ico.exe	cmd.exe
PID 1256 wrote to memory of 660	1256	6_ico.exe	cmd.exe
PID 1256 wrote to memory of 660	1256	6_ico.exe	cmd.exe
PID 660 wrote to memory of 2216	660	cmd.exe	timeout.exe
PID 660 wrote to memory of 2216	660	cmd.exe	timeout.exe
PID 660 wrote to memory of 2216	660	cmd.exe	timeout.exe
PID 1196 wrote to memory of 504	1196	gohgeatmcoth.exe	rundll32.exe
PID 1196 wrote to memory of 504	1196	gohgeatmcoth.exe	rundll32.exe
PID 1196 wrote to memory of 504	1196	gohgeatmcoth.exe	rundll32.exe
PID 504 wrote to memory of 3800	504	rundll32.exe	RUNDLL32.EXE
PID 504 wrote to memory of 3800	504	rundll32.exe	RUNDLL32.EXE
PID 504 wrote to memory of 3800	504	rundll32.exe	RUNDLL32.EXE
PID 3800 wrote to memory of 3768	3800	RUNDLL32.EXE	powershell.exe
PID 3800 wrote to memory of 3768	3800	RUNDLL32.EXE	powershell.exe
PID 3800 wrote to memory of 3768	3800	RUNDLL32.EXE	powershell.exe
PID 2148 wrote to memory of 3360	2148	vpn_ico.exe	WScript.exe
PID 2148 wrote to memory of 3360	2148	vpn_ico.exe	WScript.exe
PID 2148 wrote to memory of 3360	2148	vpn_ico.exe	WScript.exe
PID 3800 wrote to memory of 3204	3800	RUNDLL32.EXE	powershell.exe
PID 3800 wrote to memory of 3204	3800	RUNDLL32.EXE	powershell.exe
PID 3800 wrote to memory of 3204	3800	RUNDLL32.EXE	powershell.exe
PID 3204 wrote to memory of 3324	3204	powershell.exe	nslookup.exe
PID 3204 wrote to memory of 3324	3204	powershell.exe	nslookup.exe
PID 3204 wrote to memory of 3324	3204	powershell.exe	nslookup.exe
PID 3800 wrote to memory of 648	3800	RUNDLL32.EXE	schtasks.exe
PID 3800 wrote to memory of 648	3800	RUNDLL32.EXE	schtasks.exe
PID 3800 wrote to memory of 648	3800	RUNDLL32.EXE	schtasks.exe
PID 3800 wrote to memory of 192	3800	RUNDLL32.EXE	schtasks.exe
PID 3800 wrote to memory of 192	3800	RUNDLL32.EXE	schtasks.exe
PID 3800 wrote to memory of 192	3800	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:60

C:\Users\Admin\AppData\Local\Temp\File19.exe
"C:\Users\Admin\AppData\Local\Temp\File19.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3432

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\amtwfcuyrtrkc & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:2416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\amtwfcuyrtrkc & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:2216

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Local\Temp\gohgeatmcoth.exe
"C:\Users\Admin\AppData\Local\Temp\gohgeatmcoth.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\GOHGEA~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\GOHGEA~1.EXE
5⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\GOHGEA~1.DLL,YEAgfI1V
6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpDE30.tmp.ps1"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFFB5.tmp.ps1"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
8⤵
PID:3324

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
7⤵
PID:648

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
7⤵
PID:192

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vxkxegmotbf.vbs"
4⤵
PID:4088

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wojrojg.vbs"
4⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:3360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\8dAjrNrT & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.21235.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:3244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\amtwfcuyrtrkc\46173476.txt

Download Submit
C:\ProgramData\amtwfcuyrtrkc\8372422.txt

Download Submit
C:\ProgramData\amtwfcuyrtrkc\Files\_INFOR~1.TXT

Download Submit
C:\ProgramData\amtwfcuyrtrkc\NL_202~1.ZIP

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dAjrNrT\DYNWPP~1.ZIP
MD5
af7a08dea65f808535bf7d80dcda7dee

SHA1
315d199401cf6d8346e60a00399ab248e7e213df

SHA256
ef4b44ef84889549bffaf59997a57288dc06dd0872ca02426ae7fa25d0fc9637

SHA512
cbbbcccbf97540ff7b6dffcbc344505fc4525f3ccd2f94e73901bfc4e1a9a33642037fcc3c11c707c10dd2fdc9546e1c0722de32fa2543dc64c51bbd0a257ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dAjrNrT\NLGNTU~1.ZIP

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dAjrNrT\_Files\_INFOR~1.TXT

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dAjrNrT\_Files\_SCREE~1.JPE
MD5
d851659a62482415474a71c5003fefc1

SHA1
7c1b7ddadd2998e00da1e46c6a36a88ca1b76722

SHA256
9adb53d92a3d16fa191a9618fd9358fcddd9398c5d9dd922699cf73885501799

SHA512
1e6b840d2c1c90638b9231a3fbbe56f5a0beeecf7408ec82b2879432b1faebdd2b4ecb1e3554843f5136a03aae2f6a68fef04427abc55061a463a4ec79c42753

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dAjrNrT\files_\SCREEN~1.JPG
MD5
d851659a62482415474a71c5003fefc1

SHA1
7c1b7ddadd2998e00da1e46c6a36a88ca1b76722

SHA256
9adb53d92a3d16fa191a9618fd9358fcddd9398c5d9dd922699cf73885501799

SHA512
1e6b840d2c1c90638b9231a3fbbe56f5a0beeecf7408ec82b2879432b1faebdd2b4ecb1e3554843f5136a03aae2f6a68fef04427abc55061a463a4ec79c42753

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dAjrNrT\files_\SYSTEM~1.TXT
MD5
639878ce767f326f953a17d12a3b7ad6

SHA1
aa44a2a55196b59756c884aac91c1747f301b2ed

SHA256
c03e1403d305896af65fe13d5775a7081e0aa543d45f3d8a0da54428fb38192d

SHA512
4dd5c31feae9791abfd128f24fde7ad37e60780dd91b50cc1b74980e3dceb95f9d808365a2088b14e9ac94b81f720d29c59ba5cbb057a551d2363352ddd4704a

Download Submit
C:\Users\Admin\AppData\Local\Temp\File19.exe
MD5
fb72954eefa1ddb5ca1fb1c6f1850ae9

SHA1
2945b7bb3b0a3e9d4849a9ea4543b473e80b67b0

SHA256
b6b9283355f99341158e3865293f57ae08e11327b911f611d283449efba83d14

SHA512
cf23674729ad51fb7bde37aadb68c3aaa84c338abedaee535ce15abf9fb7197d395fd0fd9beebe33798eb9e1b844d3f756187db4e493a1a0b6784ebc882cd518

Download Submit
C:\Users\Admin\AppData\Local\Temp\File19.exe
MD5
fb72954eefa1ddb5ca1fb1c6f1850ae9

SHA1
2945b7bb3b0a3e9d4849a9ea4543b473e80b67b0

SHA256
b6b9283355f99341158e3865293f57ae08e11327b911f611d283449efba83d14

SHA512
cf23674729ad51fb7bde37aadb68c3aaa84c338abedaee535ce15abf9fb7197d395fd0fd9beebe33798eb9e1b844d3f756187db4e493a1a0b6784ebc882cd518

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOHGEA~1.DLL

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\gohgeatmcoth.exe
MD5
56cbf34ee3f8e4164c419e9621d5bcc2

SHA1
3a388fcacbe4565770e3d389dae029d8a2e85993

SHA256
df53dd9918ccb39c9e031e09609c756f6f0424e16be35a0f37d919e8a80534dc

SHA512
d6f9e29f205ca91326b721d84982f98b6074ea49988a2e2e03493c098a8c5637305de0369819c846e6e7130cb1ee181dac1ca3877fa73396fb92451d3db26546

Download Submit
C:\Users\Admin\AppData\Local\Temp\gohgeatmcoth.exe
MD5
56cbf34ee3f8e4164c419e9621d5bcc2

SHA1
3a388fcacbe4565770e3d389dae029d8a2e85993

SHA256
df53dd9918ccb39c9e031e09609c756f6f0424e16be35a0f37d919e8a80534dc

SHA512
d6f9e29f205ca91326b721d84982f98b6074ea49988a2e2e03493c098a8c5637305de0369819c846e6e7130cb1ee181dac1ca3877fa73396fb92451d3db26546

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE30.tmp.ps1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE31.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFFB5.tmp.ps1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFFB6.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxkxegmotbf.vbs

Download Submit
C:\Users\Admin\AppData\Local\Temp\wojrojg.vbs

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Download Submit
\Users\Admin\AppData\Local\Temp\GOHGEA~1.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\GOHGEA~1.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\GOHGEA~1.DLL

Download Submit
\Users\Admin\AppData\Local\Temp\nsc989D.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/60-3-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/60-2-0x00000000053E1000-0x00000000053E2000-memory.dmp

Filesize
4KB

Download
memory/192-98-0x0000000000000000-mapping.dmp

Download
memory/480-7-0x0000000000000000-mapping.dmp

Download
memory/504-54-0x0000000004D50000-0x00000000053AF000-memory.dmp

Filesize
6.4MB

Download
memory/504-51-0x0000000000000000-mapping.dmp

Download
memory/648-97-0x0000000000000000-mapping.dmp

Download
memory/660-49-0x0000000000000000-mapping.dmp

Download
memory/1132-43-0x0000000000000000-mapping.dmp

Download
memory/1196-41-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/1196-36-0x0000000000000000-mapping.dmp

Download
memory/1256-25-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/1256-18-0x0000000000000000-mapping.dmp

Download
memory/1256-28-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/1892-31-0x0000000000000000-mapping.dmp

Download
memory/1892-35-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/1892-34-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/1992-4-0x0000000000000000-mapping.dmp

Download
memory/2148-29-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/2148-26-0x00000000045E0000-0x00000000045E1000-memory.dmp

Filesize
4KB

Download
memory/2148-22-0x0000000000000000-mapping.dmp

Download
memory/2216-50-0x0000000000000000-mapping.dmp

Download
memory/2416-48-0x0000000000000000-mapping.dmp

Download
memory/3204-90-0x0000000008150000-0x0000000008151000-memory.dmp

Filesize
4KB

Download
memory/3204-88-0x0000000007750000-0x0000000007751000-memory.dmp

Filesize
4KB

Download
memory/3204-81-0x0000000070B90000-0x000000007127E000-memory.dmp

Filesize
6.9MB

Download
memory/3204-79-0x0000000000000000-mapping.dmp

Download
memory/3244-15-0x0000000000000000-mapping.dmp

Download
memory/3324-95-0x0000000000000000-mapping.dmp

Download
memory/3360-71-0x0000000000000000-mapping.dmp

Download
memory/3432-27-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/3432-16-0x0000000000000000-mapping.dmp

Download
memory/3432-30-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3768-61-0x0000000070E60000-0x000000007154E000-memory.dmp

Filesize
6.9MB

Download
memory/3768-70-0x0000000008900000-0x0000000008901000-memory.dmp

Filesize
4KB

Download
memory/3768-74-0x0000000008A10000-0x0000000008A11000-memory.dmp

Filesize
4KB

Download
memory/3768-75-0x000000000A0D0000-0x000000000A0D1000-memory.dmp

Filesize
4KB

Download
memory/3768-76-0x0000000009650000-0x0000000009651000-memory.dmp

Filesize
4KB

Download
memory/3768-77-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/3768-69-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/3768-68-0x00000000084E0000-0x00000000084E1000-memory.dmp

Filesize
4KB

Download
memory/3768-67-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/3768-66-0x0000000008120000-0x0000000008121000-memory.dmp

Filesize
4KB

Download
memory/3768-65-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/3768-64-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/3768-63-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/3768-62-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/3768-60-0x0000000000000000-mapping.dmp

Download
memory/3800-59-0x0000000004890000-0x0000000004EEF000-memory.dmp

Filesize
6.4MB

Download
memory/3800-55-0x0000000000000000-mapping.dmp

Download
memory/4088-40-0x0000000000000000-mapping.dmp

Download